Re: [PATCH] futex: Drop CLONE_THREAD requirement for private default hash alloc

From: Andrew Morton

Date: Sat May 02 2026 - 13:24:53 EST


On Sat, 2 May 2026 18:57:29 +0300 Mohamed Ayman <mohamedaymanworkspace@xxxxxxxxx> wrote:

> From: Davidlohr Bueso <dave@xxxxxxxxxxxx>
>
> Currently need_futex_hash_allocate_default() depends on strict pthread
> semantics, abusing CLONE_THREAD. This breaks the non-concurrency
> assumptions when doing the mm->futex_ref pcpu allocations, leading to
> bugs[0] when sharing the mm in other ways; i.e.:
>
> BUG: KASAN: slab-use-after-free in futex_hash_put
>
> ... where the +1 bias can end up on a percpu counter that mm->futex_ref
> no longer points at.
>
> Loosen the check to cover any CLONE_VM clone, except vfork(). Excluding
> vfork keeps the existing paths untouched (no overhead), and we can't
> race in the first place: either the parent is suspended and the child
> runs alone, or mm->futex_ref is already allocated from an earlier
> CLONE_VM.
>
> Link: https://lore.kernel.org/all/CAL_bE8LsmCQ-FAtYDuwbJhOkt9p2wwYQwAbMh=PifC=VsiBM6A@xxxxxxxxxxxxxx/ [0]
> Fixes: d9b05321e21e ("futex: Move futex_hash_free() back to __mmput()")
> Reported-by: Yiming Qian <yimingqian591@xxxxxxxxx>
> Signed-off-by: Davidlohr Bueso <dave@xxxxxxxxxxxx>
> Signed-off-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>

I hate to get all bureaucratic, but....

Given what you've sent and from my reading of the security@ and
linux-kernel@ lists,

- I can't find a patch from Davidlohr which looks like this one - I
can't figure out where you got that from.

- I can't find any code from Linus which would lead to the addition of
his Signed-off-by:. I don't know where you got that from either.

- Let's cc the author of the Fixes target, Sebastian?

I'd like to have this metadata tightened up, please - so a reader of
this patch can understand who did & said what and when and why.

Thanks.

> kernel/fork.c | 12 +++++-------
> 1 file changed, 5 insertions(+), 7 deletions(-)
>
> diff --git a/kernel/fork.c b/kernel/fork.c
> index f1ad69c6dc2d..5f3fdfdb14c7 100644
> --- a/kernel/fork.c
> +++ b/kernel/fork.c
> @@ -1951,9 +1951,11 @@ static void rv_task_fork(struct task_struct *p)
>
> static bool need_futex_hash_allocate_default(u64 clone_flags)
> {
> - if ((clone_flags & (CLONE_THREAD | CLONE_VM)) != (CLONE_THREAD | CLONE_VM))
> - return false;
> - return true;
> + /*
> + * Allocate a default futex hash for any sibling that will
> + * share the parent's mm, except vfork.
> + */
> + return (clone_flags & (CLONE_VM | CLONE_VFORK)) == CLONE_VM;
> }
>
> /*
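Review bot: the new predicate `return (clone_flags & (CLONE_VM | CLONE_VFORK)) == CLONE_VM;` drops the CLONE_THREAD requirement, but the comment above it ("any sibling that will share the parent's mm, except vfork") does not record why vfork is safe to skip; that justification lives only in the changelog (the parent is suspended until the child exits or execs, or mm->futex_ref was already allocated by an earlier CLONE_VM clone). Suggest folding that reasoning into the comment so the exception is understandable from the code alone, and replacing "sibling" with "child", since a CLONE_VM clone without CLONE_THREAD is not a thread-group sibling.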
> @@ -2380,10 +2382,6 @@ __latent_entropy struct task_struct *copy_process(
> if (retval)
> goto bad_fork_cancel_cgroup;
>
> - /*
> - * Allocate a default futex hash for the user process once the first
> - * thread spawns.
> - */
> if (need_futex_hash_allocate_default(clone_flags)) {
> retval = futex_hash_allocate_default();
> if (retval)
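Review bot: this hunk deletes the call-site comment ("Allocate a default futex hash for the user process once the first thread spawns") while leaving the call itself unchanged, so the intent is now documented only inside need_futex_hash_allocate_default(); that is acceptable, but the deleted wording is now incorrect rather than merely redundant ("the first thread spawns" no longer describes when the hash is allocated), and the changelog should say so. Separately, plain CLONE_VM clones now reach futex_hash_allocate_default(), so the unwind taken after `if (retval)` (cut off in the hunk) should be checked to confirm it is correct for a child that shares the mm but is not a member of the parent's thread group.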
> --
> 2.34.1